Cyberdefence : risks and issues for defence

Like the sea, cyberspace is a space of freedom and exchange for all those, ever more numerous, who move through it with greater or lesser levels of protection. As an infinite space whose riches attract the attention of some and arouse the keen interest of others, digital space often seems abstract, so that it needs to be made more concrete for decisionmakers to be able to grasp what is at stake. Linked to strategic priorities (trade, finance, transportation, culture, security, defence…), the data circulating in this space are indeed coveted. As a boundless medium, lending itself to anonymity and easily accessible to all, cyberspace is after all reminiscent of the maritime environment. Like it, it is a space of exchanges, of influence, where conflicts occur over control, whether lawful or not, of the riches it contains.

Like the maritime world, it is a space of confrontations between nations and must deal with the presence of pirates, who emerge more specifically from the Web’s deeper recesses.

Finally, these violent presences may attack institutions as well as economies or individuals.

 

Armed forces on the front lines, though not necessarily as a potential target

While pirates of the high seas act in a traditional fashion with conventional or crude weaponry, systems that are connected to cyberspace and their information exchange supports offer far greater exposure and are more accessible.

This vulnerability is also to be seen in defence systems, that however remain less exposed in peacetime. Attacks on warships from pirates have remained few and far between over past centuries due to the risks entailed in such actions and the scant merchant value of such targets.

A defence system, even though it is connected, may represent but one target among others for a pirate, neither more nor less exposed, but much better defended and much less interesting in mercantile terms. Such systems may on a given isolated occasion be the target of attacks and the victim of incidents, but these remain measured and answer the need nations have of acquiring intelligence within the context of the preparation of a potential conflict.

Knowledge at the heart of cyber

The preparation of an attack, or more generally, that of a conflict, always starts with intelligence gathering based on the exploitation of security flaws in the potential target. This proves indispensable in a cyberenvironment in order to:

• map the opponent’s infrastructures and the protections they enjoy, in as discreet a manner as possible to avoid detection, but in a continuous manner to stay abreast of the development of infrastructures and environments;
• identify vulnerabilities and gaps, which entails engaging in somewhat intrusive actions at the risk, as it happens, of leaving traces, and thus of setting a wise target on its guard;
• attempt to establish:
  • the profile of the opponent’s areas of expertise, so as to bring into play similar or even superior abilities before going on the offensive;
  • the aversion to cyberrisks of the opponent’s decision-making grades, so as to identify the management’s cyberdependence level and its ability to function without these systems;
• in the case of a less targeted attack, relatively unsophisticated tools are enough to reach many targets, causing visible disruptions;
• in the case of a very targeted attack, the idea is to create offensive modes of action to disrupt the opponent’s communications, paralyse his infrastructures, destroy his supports, steal/copy contents, etc. Each of the means must be defined, sized, designed and tested for a given target: every server, every network device, every password represents an obstacle that will need to be overcome in an adaptive and iterative fashion.

 

In the military area, the unavoidable delays in the collection of data or intelligence about enemy facilities make the hypothesis of an attack in support of a conventional attack more and more uncomfortable. For such a situation would suppose that the enemy be identified months or even years in advance, that targets have been predefined and the means of intervention preassigned and mobilized. At a more global level, this stage of information-gathering sometimes offers the possibility of accessing badly protected data about the enemy’s strategic facilities.

It is/would be useless to expect certainties about the time the enemy will need to carry out a cyberoffensive and what its effects on his opponent will be, given the level of resilience of the latter’s infrastructures in the face of an attack.

Many types of offensives need to be considered:

• discreet actions such as SQL injection or malware (Stuxnet, Wiper, Flame, miniFlame, Gauss, etc.) aimed at disrupting/distorting the operation of facilities, or stealing, distorting, or even destroying information;
• a visible attack, such as hacking, carried out through an intermediary if need be, with a view to paralysing equipment (disruptions of positioning or navigation assistance systems) or economic operations (blocking of bank transactions), or even to manipulate public opinion about the incompetence of leaders (government sites in denial of service or getting defaced, blocking of the Internet, etc.).
• data theft, with varying degrees of visibility, with the aim of getting money for them (Ransomware)

 

Aims pursued

In most cases, a cyberattack will not seek to destroy[1] the opponent as such, but to cause him harm, as well as to his systems or his data, often for purposes of revenge or in order to benefit from the effects in another area (the economy, reputation, etc.). The destruction of Web firms may increase however due to some economic models’ increasing dependence on information and communication technologies.

When the aim is to cause long-term harm, three angles of attack need to be taken into consideration:

• a simultaneous attack on several fronts to scatter enemy defences, with a view to hitting a maximum number of targets within minimal time;
• the suspension of attacks after a few hours to give the enemy the impression he is regaining control over the situation;
• the alternation of techniques to attack new targets, with a view to the psychological exhaustion of the enemy and the reduction of his cyberdefence capabilities.

 

Modes of action and objectives

Offensive modes of action (hacking) are chiefly characterized by their long-term planning and their ubiquity, starting from a few highly specialized abilities that can yet operate over time.

Consequently, the assailant will be in a position to field teams of technicians, who will be able to take turns for the duration of the attack. With equivalent technical know-how, it is these attacking teams’ resistance to stress, extended time and the level of nervous tension they bring that will make it possible to take the advantage in a digital offensive. It is an illusion to imagine that a single digital victory will be able to rout an opponent. For military IT facilities are resilient, are provided with plans for activity continuity, and their data are protected. As a result, once the attack has ended, most of the systems will be able to be restarted and to resume their activities.

NB: a deception cyberattack in support of a conventional attack without adequate means may “blind” the opponent for a while but, if he correctly interprets it as a diversion and if he has maintained his means of command, it is bound to fail.

What matters then is not to seek destruction, but to set up a disturbance which will, among other things:

• create a prolonged unavailability of access to services and data, so as to be in a position to disrupt management for a long time;
• create a doubt about the corruption or the integrity of data;
• block the opponent’s communication networks, Internet and telephone systems to isolate decision-making centres and break the chain of command;
• influence populations, especially through social networks, by carrying out real[2] campaigns of psychological war.

 

When doubt and misunderstanding take over, new priorities need to be considered: by complementing acts in the cyber realm, physical attacks against the opponent’s critical infrastructures can be carried out by conventional forces in order to take them over without destroying them, taking advantage of the disorganization in the opponent’s chain of command, which effectively limits his response capabilities. The main targets to be considered are datacentres, network arteries and hubs, and to a lesser extent, the sensors and operators in charge of infrastructures and maintenance.

On another level, a targeted cyberaction aimed at destroying all or part of a nation’s strategic infrastructures must belong among the scenarios that are more than likely. The interruption of vital streams (electricity, water, gas, means of communication) is a kind of attack which we must continue to guard against in a more efficient manner (resilient solutions). Attacks such as Stuxnet or Red October required the mobilization of specialists, who worked for months to design and test them before they made use of them. This is a high investment that can only be sustained today by a handful of nations in the world. The great sophistication of these weapons has allowed them to subsist for long periods within vital systems. Their detection by a cocktail mixing expertise, luck and chance raises more questions than it brings solutions.

How many other insidious weapons have already been planted to this day? What are the conditions to be met for them to activate? With what effects? And finally, how do we guard from them?

It is vital today to have the benefit of wise expertise, that is able to prevent and circumvent the effects of such weapons even when it cannot detect and dismember them in a competition where, like the white pieces at chess, the attackers will always be one move ahead.

To prevent and, if need be, face such threats, military operations nowadays systematically include a cyberfighting component in addition to the conventional areas of struggle as an extension of the electromagnetic area. For the level of interconnection of systems is such today that the misdeeds it is possible to perpetrate in cyberspace can affect all areas of operations from ever more interconnected wired and radioelectric networks.

One must admit that cyberwar will soon be, if it is not already, a first-strike weapon: the events experienced by NATO and the USA in the former Yugoslavia (1999), by Estonia (2007), and above all by Georgia (2008) give a simple idea of the damage that might be inflicted by a massive attack carried out, in a hyperconnected world, with sufficient technical cybermeans.

The attacks mentioned above were oriented towards denial of service (DDoS) and were not many-sided. The cyberconflicts for which we must prepare will be; taking measures to guard against damage incurred from several attacks of different types carried out simultaneously is therefore going to become a priority for armies.

 

Connected objects

Connected objects are plugged by wireless connection into a computer, a tablet or a smartphone. Their field of application has to do with the professional world as much as with the private sphere. Given their destination as utilitarian objects, their design has not sufficiently taken into account the necessary security imperatives. Yet it is simpler and more profitable to hack a connected object than a computer, since its connection is not secure and gives de facto access to the computer. Connected objects are ideal instruments to create “botnets”.

“Botnets” (zombie networks) are made up of terminals that can be manipulated remotely by a hacker. These networks gather many devices configured to launch at the same time, on the hacker’s orders, an attack that generally takes the form of denial of service (DDoS). The quantity of connected devices is infinite. To be more effective, such botnets are often transnational, which makes it more difficult for the authorities to act in unison to dismantle them. The power these zombie networks will soon attain is such that they will be in a position to be used as weapons to saturate or block communication networks. The IT capabilities needed to create botnets are accessible to an opponent without any high-level experts at its disposal. It is thus a weapon that is easy to create, relatively easy to use and within everybody’s reach, but which is not simple to guard against or to get rid of.

 

Cyberraiding war

In this context, cyberstakes must be taken into account at every moment in any systemic approach. New information and communication technologies make our everyday life simpler and have deeply altered trades and abilities, as was the case after every new technological revolution. After the sail relieved the galley slave, steam and then petroleum sacrificed rigging on the altar of the industrial world. Today, the digital revolution reduces human input, connecting the systems that the next revolutions (robotics and artificial intelligence) will expose a little more still. As a result, the prominence of cyberspace will be such that whoever masters it will also have the ability to impose his domination in other areas. Governments and security agencies have invested in this medium, but they are still largely undersized in terms of resources and abilities.

States are also acting discreetly and covertly in this medium. They are carrying out a full-fledged raiding war, mostly for intelligence purposes, but also with the aim of getting their hands on certain riches (data). The user is thus moving in cyberspace next to great fleets of pirates and “cyberprivateers”, seeking the protection of the latter and avoiding the former.

 

Data at the centre of the stakes

Massive data gathering on the part of public or private operators for surveillance, commercial (marketing) or illicit purposes has become generalized and continues to increase despite the publication of regulatory texts to protect private life. For these have but a limited scope geographically, which makes it easy for states to get around them, in the name of the struggle against terrorism, and likewise for business firms whose head office is located in a territory where the law does not apply. Consequently, a market for the brokerage of personal data has quickly been set up and is proliferating, as anybody can turn to it to buy personal data whose licit collection is prevented by the texts in force. Web operators have thus been taken to task by the authorities of several countries on the grounds of the illegality of the collected data, of their being held in bases located abroad, of their being communicated to third parties without the agreement of their legitimate owner. But in this space, humans, as users of these systems, remain the weak link in the chain.

To prepare for the future, institutions have set up a process that places expertise at the centre of the stakes, by raising stakeholders’ awareness, by training technicians and by getting equipped with facilities able to deal with the principal risks involved. The stakes in this area are huge, due to the fact that, aside from the autonomous systems with which businesses are equipped, more and more systems are connected. Eventually, with the advent of the Internet of connected objects, it is billions of connections that will multiply vulnerabilities. The stakes of mastering them are immense should we fail to reduce the risk in the face of new threats.

Manoeuvring in uncharted waters demands now more than ever that we navigate forward, think ahead and anticipate. The authorities in general and armed forces in particular have taken this threat into account and are attempting to give themselves every day the means to deal with it a little more, but they can neither protect all the players nor secure the immensity of space in the face of the pirates and privateers that move through it.

[1] Destruction of systems through attack remains a rare occurrence to this day.

[2] Handbook of Russian Information Warfare  – NATO Defence College (2016)